When IT Meets Politics


March 19, 2015  12:28 AM

Jim Prideaux points out ambiguity in the Budget statement on the future of Government Verify

Philip Virgo Profile: Philip Virgo
compromise, Docomo, eIDAS, fake, GCHQ, MI5, SIS

I was working on a posting on the way the budget and the parallel announcement of the Digital Communications Infrastructure strategy should help transform the climate for investment when Jim Prideaux, one of whose concerns is the hollowing out of the security skills of Government, pointed out a splendid ambiguity in the budget statement announcement on plans to save money from rationalising IT spend: “Budget 2015 announces that, following a successful trial, the Government will implement “Gov.UK Verify” – a new way for people to prove their identity on-line when using government services – across central government”. Does this mean that the trials to date have been successful? Or does it mean that Verify will only be implemented when the trials have been successful?

Jim has blogged for me before on the strange history of the Government Verify programme and I have no doubt he will do so again. Meanwhile one of his erstwhile colleagues is trying to calculate how much it would cost to fraudulently acquire the identity of someone dependent on benefits using the routines proposed by the suppliers whose services are currently being tested. After wading through pages of gobbledygook he came to the conclusion that it could cost as little as £250 to acquire (via existing publicly available services) and scan the paper documentation and/or generate the digital footprint that would satisfy some of the supposedly agreed providers. I await his detailed working but this may explain why mainstream “trust” services are reluctant to get engaged – other than to certify those who they already “know” via more robust routines, including physical presence.

Jim, however, points out that Verify hasn’t got around to ‘level 3’, and the current (watered-down) level 2 (balance of probability – not properly defined) envisages doing everything online because the costs of manual paper-handling would exceed the budget: Level 1 – self asserted – doesn’t need any third party, so no justification for paying for one. He also thinks it may be easier to take over an account after it has been created because that may need no more than a quick look around the device being used for access. He is more concerned about denial of service (from failed masquerades), followed by the imbuggerance (which I assume is a spook technical term equivalent to “compromise”) of two factor authentication while a smart phone is being used for browsing and text, thus ensuring that it adds no security.

Jim goes on as follows:

“The recent scare over another false security certificate at the heart of widely used products and services should remind us of the vulnerability of those who assume that all certification routines are equally valid. The complexity of the chain of trust in which the compromise occurred means no-one should be surprised. After the £8M for damage caused by Companies House for a missing ‘s’, we should spare a thought for those trying to understand the liabilities for online transactions, which jurisdictions apply, whose services they can trust for what and the recourse available to them if that trust turns out to be misplaced.

How confident can you be that the Gov.UK website you visit is secure?

The supposedly monolithic gov.uk relies on a variety of chains of trust. When you get past ‘This web site does not supply ownership information’ the www.gov.uk chain (see foot of this blog details) starts in Ireland, then goes through the US. Meanwhile the chain for *.blog.gov.uk starts in Sweden, and comes via Salford. MI5.gov.uk and SIS.gov.uk use US-based certificates.

If you go to a German government site the chain is shorter and simpler, based on German certificates. Other nations can have stranger chains of trust. www.whitehouse.gov comes to you “securely” using a trust chain that says it starts in the Irish Republic, and ends up in the US via the Netherlands.

Is this ‘security theatre’, or does it matter? Will it help to have the .uk namespace under the control of Nominet? That is if there is a way to check that the control is more than nominal?

Should you be worrying about how you can verify that you are indeed using a secure link to a trustworthy website, following the padlock (or warning triangle) in the top left? Your browser probably has a few hundred roots of trust, possibly including those from countries you’ve not heard of. By looking at ‘subject’ in ‘further information’, you can see where the chain of trust starts in this case, and then how it follows down to where you are.

The policies under which these certificates are issued can be searched for. Even if you find the right ones (and how can you be sure?) somewhere in the dense legalese, probably at paragraph 9.8, will be some modest limit for you and all other users combined, and para 9.14 will identify the relevant jurisdiction.

For commercial transactions for ordinary users, the credit card terms may be more relevant, not least because the customer only needs one. Someday it might even follow the model envisaged in the recent EU eIDAS Regulation, but what happens for the public sector/government sites that offer a secure link? Remembering that many, including the GCHQ website and transparency.number10.gov.uk do not.”

P.S. The Gov.UK chains of trust referred to by Jim appear to be as follows:

CN = *.blog.gov.uk https://identityassurance.blog.gov.uk/
OU = EssentialSSL Wildcard
OU = Domain Control Validated
is provided by

CN = EssentialSSL CA
O = COMODO CA Limited
L = Salford
ST = Greater Manchester
C = GB

which comes from
CN = AddTrust External CA Root
OU = AddTrust External TTP Network
O = AddTrust AB
C = SE

www.gov.uk says “This web site does not supply ownership information” but the chain appears to be as follows:

CN = www.gov.uk
O = Government Digital Service
L = London
ST = England
C = GB
is issued by

CN = DigiCert High Assurance CA-3
OU = www.digicert.com
O = DigiCert Inc
C = US
in turn issued by

CN = Baltimore CyberTrust Root
OU = CyberTrust
O = Baltimore
C = IE
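The www.gov.uk chain above can be walked mechanically: link each certificate’s issuer name to the next certificate’s subject name, confirm the last one is self-signed, and read off the country codes to see which jurisdictions the chain crosses. This is an added example, not code from the post; the chain records are constructed from the subject names listed above (the issuer of each is assumed to be the subject of the next), and the parser handles only the simple “CN = x, O = y” display form a browser shows.

```python
"""Walk a certificate chain's subject/issuer names and report the
jurisdictions it passes through.

Added example, not code from the original post. The chain records are
constructed from the names the post lists for www.gov.uk; real
certificates would be decoded with a library such as `cryptography`,
but the distinguished-name strings are what a browser's certificate
viewer displays, so that is what we work from here.
"""
from typing import Dict, List, Tuple

# One record per certificate: (subject DN, issuer DN), leaf first.
# Constructed from the names quoted in the post; the Baltimore root is
# self-signed, so its issuer equals its subject.
GOV_UK_CHAIN: List[Tuple[str, str]] = [
    ("CN = www.gov.uk, O = Government Digital Service, L = London, ST = England, C = GB",
     "CN = DigiCert High Assurance CA-3, OU = www.digicert.com, O = DigiCert Inc, C = US"),
    ("CN = DigiCert High Assurance CA-3, OU = www.digicert.com, O = DigiCert Inc, C = US",
     "CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE"),
    ("CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE",
     "CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE"),
]


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN = x, O = y, C = GB' into {'CN': 'x', 'O': 'y', 'C': 'GB'}.

    Handles the browser display form only (no escaped commas in values).
    """
    parts: Dict[str, str] = {}
    for field in dn.split(","):
        if "=" not in field:
            raise ValueError(f"malformed DN component: {field!r}")
        key, value = field.split("=", 1)
        parts[key.strip().upper()] = value.strip()
    return parts


def check_chain(chain: List[Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the names link up.

    Checks that each certificate's issuer is the next certificate's
    subject, and that the last certificate is self-signed (a root).
    A missing intermediate shows up as a mismatch at that position.
    """
    problems: List[str] = []
    for i in range(len(chain) - 1):
        issuer = parse_dn(chain[i][1])
        next_subject = parse_dn(chain[i + 1][0])
        if issuer != next_subject:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    last_subject, last_issuer = chain[-1]
    if parse_dn(last_subject) != parse_dn(last_issuer):
        problems.append("last certificate is not self-signed; chain has no root")
    return problems


def jurisdiction_trail(chain: List[Tuple[str, str]]) -> List[str]:
    """Country code (C=) of each certificate, leaf to root, e.g. ['GB', 'US', 'IE']."""
    return [parse_dn(subject).get("C", "?") for subject, _ in chain]


def foreign_links(chain: List[Tuple[str, str]], home: str) -> List[str]:
    """Common names of the certificates whose subject sits outside `home`."""
    return [parse_dn(s)["CN"] for s, _ in chain if parse_dn(s).get("C") != home]


if __name__ == "__main__":
    print("problems:", check_chain(GOV_UK_CHAIN) or "none")
    print("jurisdictions:", " -> ".join(jurisdiction_trail(GOV_UK_CHAIN)))
    print("outside GB:", foreign_links(GOV_UK_CHAIN, "GB"))
```

Name matching only checks that the chain is coherent as displayed; whether each signature actually verifies is the job of the browser or a certificate library.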

P.P.S. A reader has just pointed out the Register article which explains the ambiguity.

March 14, 2015  7:45 PM

How anonymous should you be over the Internet? Nominet Consultation on .UK

Philip Virgo Profile: Philip Virgo
Nomnet, Notaries, Scrivenors, UK, Whois

Given the pressures to tidy up the Internet and enable those responsible for victim support and redress to track and trace and “remove” trolls, the current Nominet consultation on the collection and publication of contact data for the WHOIS register for .UK is central to the rebuilding of trust in the on-line world.

Will .UK remain as untrustworthy as at present, offering neither reasonable confidence that you are dealing with an organisation or individual subject to UK law nor that your anonymity will be protected? Or will Nominet help lead the way in rebuilding trust in the on-line world? Those who believe the latter should join and take part in the policy discussions because subjects like this are far too important to be left to the introverted community of registrars and IPR lawyers who usually dominate discussion on such subjects.

But what is “reasonable confidence”? And how can it be better provided?  

The article by Eleanor Bradley, COO of Nominet, summarises the context of the consultation. But the growth of registrars offering “privacy services” parallels the rising concerns over those who conceal their identities in order to abuse and prey on others. Hence my recent blogs on the need for such services, and the routines allowing others to access their files, to come under proper judicial oversight.

It is, however, worth remembering that those traditionally responsible for checking identity in the context of authenticating legal documents in the “real” world (Notaries and Scriveners) come under divine oversight – the Faculty Office of the Archbishop of Canterbury. Hence also my long-standing interest in the tension between those who believe that the law is given by God and applies to the State and Rulers (as with Magna Carta) and those who believe that the State is God.


February 28, 2015  4:56 PM

Why the FCC Net Neutrality judgement may have been a Pyrrhic victory for the cartel that runs the internet

Philip Virgo Profile: Philip Virgo
Broadband, btgroup, DuckDuck, Net Neutrality, PCC, Utility

In the early days of this blog, back in 2008, when I repeated the arguments that the Internet should be seen as a cartel masquerading as anarchy it was relatively easy to find on-line references to the 1912 case that broke apart the US railroad cartel – just as it was seeking to leverage its market dominance to also control the embryonic road haulage industry. [There had been a spate of articles on the judgement when Microsoft was being investigated.]

A couple of years ago the judgement became much harder to find amidst irrelevant adverts triggered by the terms I used to try to find it – after the links I used the last time I referenced it no longer worked. Earlier today, having grown tired of wading through the paid entries that now preface any useful results from a Google search, I decided to try DuckDuckGo. A useful result came up instantly at the head of the list. Interestingly, when I then tried again using Google and Yahoo, having got the precise reference, I did get the same result. What I did not get was uncharged articles that put it into modern context, such as the Wikipedia entry on Essential Facilities.

Why is this so potentially important – including for UK discussions over the Digital Infrastructure on which modern society now depends?

A couple of days ago, at an excellent Westminster eForum event on Priorities for Broadband, I heard the Director of Group Industry Policy for BT repeating the argument that Broadband was not a utility and should not be regulated as such. Is that sustainable now that the US Federal Communications Commission has ruled, albeit subject to a probable appeal to the Supreme Court, that it is a utility and should be so regulated?

The landmark FCC judgement on Net Neutrality looks like a victory for the ISP community (Google et al) over the Infrastructure Community (Verizon et al) who want to charge premium rates for privileged access to that which consumes most bandwidth. However, the decision to regulate Internet Service Providers under the US regulations for telecoms providers has profound implications. Meanwhile Google has said it is not a monopoly because it has competitors like DuckDuck. Hmmmm …

Until today I was among those who thought that Google was an “Essential Facility” – and therefore potentially liable to serious anti-trust action to stop it from spreading its tentacles as the US railroad industry was doing, when brought to heel in 1912. Now I know that I can do many, perhaps most, of my own searches faster without it. But the world, and the FCC, appears to have caught up with the arguments I heard nearly a decade ago at the Oxford Internet Institute.

I suspect that Google, as an integrated entity, has passed its zenith. But when I said, nearly a year ago, that Christmas was creeping up on the Young Turks of yesterday, I also said that I expected the Googlettes to soon be collectively worth more than Google, just as the break up of Standard Oil made the Rockefeller family even richer. Are Apple and Microsoft at risk of similar break up pressures – or does their apparent head to head competition preserve them?

Meanwhile all three, and many others, are at risk as tax authorities around the world sharpen their knives and off-line businesses demand equality of tax treatment, on-line and off.

Politics is about to meet IT, whether IT likes it or not.


February 25, 2015  12:47 PM

No End of Jobs – how do we break out of Groundhog Day

Philip Virgo Profile: Philip Virgo
Telecase, Telemedicine

A couple of days ago I was very sharp about forecasts of gloom, doom and mass unemployment from new technology in recent reports. 

I had forgotten quite how sharp Sir Michael Marshall, Charles Christian and myself were thirty years ago when similar arguments were in vogue. Amazon has now delivered a replacement for my last copy of what we wrote (loaned and never returned). Below is a scan of the first page of the text of “No End of Jobs”. Remember it was written in 1984, so for Japan you might read China. For West Germany you might read India.

Most of the forecasts have come true, or are well on the way to coming true – save that we have imported immigrants to look after our elderly in overcrowded NHS hospitals, instead of making use of technology to enable them to live at home. One of the themes was the job creation effects of “prolonged active life”: resulting from automating records and administration to enable clinicians to spend time with patients instead of on paperwork, from the manufacture and installation of “robotics for rheumatics” to enable independent living for longer, as well as from all the telecare and telemedicine technologies that we are still talking about but not deploying.

The obstacles to do with the organisation of funding that we identified then have still not been addressed. Indeed they may now be worse. The overheads and waste resulting from the centralisation, bureaucratisation and outsourcing of our health and welfare systems, with funding fragmented for distribution down leaky silo’d drainpipes, means we are commonly spending more to achieve less, or at least to achieve far less than recent advances in knowledge and technology should have enabled us to achieve.

I plan to scan the rest of the paper.
No end of Jobs Intro.jpg
   


February 24, 2015  11:23 AM

If you want better security – employ women. If you want to win the cyberwar – employ women

Philip Virgo Profile: Philip Virgo
Abwehr, Bletchley, CPNI, D-Day, Enigma

 

“One of the messages from President Obama’s recent cybersecurity summit was summarised by an American Banker as “We have to protect the trust of the consumer or it’s game over”. The latest PWC Global Economic Crime survey indicates that over half of all global CEOs are aware of the cyber problem – but more are concerned over bribery and corruption. They are right to be so concerned. Other studies show that over half of major incidents, whether fraud or “cyber”, involve insiders – whether careless or malicious. And when it comes to malice the CPNI study of the Insider Threat shows that it is disproportionately men who are the risk.

Most CEOs are already only too well aware of the risks. They have no need for yet another patronising awareness campaign. But what should they actually do?

I have already blogged on part of the answer: select and retrain those you already trust rather than hire short stay compliance officers and security staff of unknown probity. Hence also my recurrent calls for inputs to my exercise with the Tech Partnership on the skills with which they need to be retrained. I am now coming to the end of that exercise and am due next week (inputs still welcome) to report on who should be trusted to help specify and deliver the training modules needed – particularly for those planning, developing, installing and running the organisation’s Identity and Access Management processes and technologies: the key point of vulnerability.

However, another message has come through at many of the meetings I have been attending. And it does not appear to be at all popular when I point it out.

Men are usually at the heart of the problem. Women are usually at the heart of the answer.

Yes there are some female hackers and fraudsters but almost all malicious leaks and attacks involve men, as do most of the accidental leakages and system failures. Moreover the proportions are not explained simply by the proportion of men and women in roles where they can undermine or bypass systems, make mistakes or take unnecessary risks.

When it comes to non-malicious risk, the story of Bletchley Park is apposite. It was 80% female, including some of the top code breakers, but we only know what was done there because some of the men craved public recognition.

We now have the “Turing industry” (from films to institutes). I commend the Wikipedia entry for a summary of the real achievements of Alan Turing (as opposed to the pastiche in the Imitation Game). Meanwhile we still know almost nothing of the contribution of his fiancée, Joan Clarke, who became deputy head of Hut 8 when he left for the United States and went into GCHQ after the war. We know nothing of the work of Rosalind Hudson, the other named female cryptographer in Hut 8, who died in 2013 having never spoken of her work at Bletchley, save that she is named in the list of code breakers, as opposed to the approximately 150 support staff.

That female ability to maintain security while also fighting and winning a cyberwar can also be seen with regard to the team which broke the Abwehr enigma codes, thus enabling the Double Cross operations without which the “relatively bloodless” D-Day landings might have been impossible.

Mavis Batey was only 19 when she helped save a British Supply convoy and kill 3,000 of the Italian sailors involved in the failed ambush three days (three days!!!) after she had broken the Italian Enigma code, thanks to the carelessness of a male operator who had simply pressed the letter “L” to encrypt a test transmission. Meanwhile we know nothing of her colleague, Margaret Rock, save for her letters to her brother and that she, like Joan Clarke, joined GCHQ after the war. We still know almost nothing about the other members of Dilly’s Fillies, the (almost) all female cryptography team which assisted Bletchley’s top (better than Turing but died in 1943) codebreaker, Dilly Knox. We do know, however, why he recruited them: better lateral thinking, teamwork and temperament.

There is a message here. I wonder who will decypher it.”


February 23, 2015  11:52 AM

How do we break out of Groundhog Day and provide broadband and digital skills fit for ALL?

Philip Virgo Profile: Philip Virgo
digichampz, Digital skills, Ofcom, Sperry

Learning for change cartoon.jpg
The stick of dynamite is labelled “Publicity Japanese Style”. The tube of sweets is labelled “First Rate Teachers”. I had no say in the cartoon and did not see it till afterwards.

The House of Lords Report on Digital skills gave me a curious feeling of “deja view” (see the date at the foot of the cartoon above) with its statement that millions of jobs are at risk from automation and its subsequent calls for digital skills for everyone and the Internet as a utility. 
Back in 1981 the late Donald Michie had been invited to organise the annual Sperry seminar for the UK Technical Press. His theme was “Intelligent systems: the unprecedented opportunity”. The Micros in Schools Programme was in train and, in return for first class travel for myself and my wife to the South of France, plus a week of incredibly stimulating company, I was tasked to not only give the thinking behind it, but also think through the likely consequences. The abstract for my contribution to the resultant book read as follows:

“Most of the basic skills needed over the next hundred years can be predicted with reasonable certainty but many of the precise trades and professions cannot. “Age related careers” is an employment strategy which can handle such uncertainty. Fundamental changes to the education system are necessary. Information Technology makes these possible at affordable cost. Encouragement and favourable publicity are more effective weapons of persuasion than coercion.”

The cartoon, with which I was presented, relates to my comments (not all recorded for posterity in either the book or the separately published political version, available on-line courtesy of Blogzilla) on the need to give average teachers the confidence to become coaches, using the new technology to help their pupils acquire skills and understanding which they did not themselves have. In other words, on the need to give priority to the “leading out” roots of education, as opposed to passing on the skills and mores of previous generations – as per the Wikipedia definition (which accurately described, then as now, the mainstream).

The report of the House of Lords Enquiry indicates very clearly how little progress we have made in meeting that challenge. On March 12th the Real Time Club (45 years young and still reinventing itself), hosted in the House of Lords by a member of the enquiry team, will hear from those who appear to have found out how to make a profitable and fast growing business from doing so. I look forward to hearing whether I believe their solution. My own experience in the 1980s, with organising IT awareness courses for older generations (including taking apart Apple Computers to insert graphics boards to play silly games and do basic coding, prior to playing global corporate politics over a pastiche teleconferencing network), indicates that it should be possible to do so today at much lower cost than we used to charge the main boards of the companies we were helping prepare for difficult discussions on IT policy.
 
Yesterday I took the opportunity to take another look at “Cashing in on the Chips” published in 1979 (containing the original call for a Micros in Schools programme), the New Scientist review of “No End of Jobs” (*) published in 1984 and my own submission to the House of Lords Enquiry.

So how do YOU, “dear reader”, help us all to break out from Groundhog Day and deliver the aspirations in the House of Lords report?

1) Respond to the Ofcom Draft Annual Plan for 2015/16 by 6pm on 26th February

As I said in my previous blog, the good news is that this is the first time Ofcom has indicated that it is planning to take the needs of business users (particularly SMEs who cannot afford leased lines) seriously (see page 26 of the Draft Plan for details).

Ofcom is also planning to take a good look at fixed and mobile Not Spots (see page 32).

The plans for work on Online Child Safety are interesting (see page 35) but the critical path is Age Verification. Here the Digital Policy Alliance appears to have already made good progress in assembling a team that will lead the drive for practical and credible answers – because the participants need them for marketing and moral, as well as regulatory, reasons.

Page 43 refers obliquely to the need for more work on performance measures, not just quality of service, but even more interesting is the reference in the section on “Protecting consumers from harm” (starting page 44) on the need to work with groups like the Internet Engineering Task Force on removing the vulnerabilities that enable spoofing.

I also recommend reading the rest of “Protecting Consumers from harm” and thinking not only how Ofcom could and should address the issues it raises but the roles of others in doing so.

2) Take a look at the House of Lords report, consider how the recommendations might be implemented, then consider how you think they should be and what you can do to help.

There is a lot of worthy comment and generic material in the report, but when it comes to action on skills the devil is in the detail, usually in the funding and incentive mechanisms, including the performance measures and league tables used to reward and recognise those meeting centrally set objectives (with which the report is peppered).

I have said (above) why those of you who are interested in remotivating staff (or teachers) for the Digital Age should try to attend the next meeting of the Real Time Club and then consider just how much (or little) this should cost using the technologies and techniques now available – although there may still be places available for those of you near Huddersfield to get a view from the grass roots this Wednesday at the presentation of the survey on the results of the first Digichampz exercise.

I personally think that by far the most important recommendation in the House of Lords report is that the Tech Partnership be tasked to lead an employer-driven review of the offers of the Further Education sector with a view to improving the apprenticeship packages on offer (Parag 314 onwards). The weakness of this recommendation is that a growing number of apprenticeships are graduate and post graduate level, linked to the Higher Education sector. The review should therefore encompass the actions listed in the following paragraphs on Higher Education and Careers Guidance, albeit not necessarily inside the first six months.

There is a lot in the report on Women in Technology and on Cybersecurity (page 36 onwards). I have commented in the past, albeit mainly en passant, on why you should employ women rather than men if you are serious about information security. I plan to return to this theme in my next blog.
     
3) If you are actively trying to get socially and geographically inclusive Broadband to those in your Parliamentary Constituency, ask your MP if he or she can get you an invitation, on his or her say so, to the event on “Broadband for ALL” being planned by the All Party Space Group and Digital Policy Alliance, in the House of Commons on the afternoon of 10th March. The aim is to cover the current state of play with regard to the availability of the full range of technologies – from fibre, wifi and mobile (for social housing and inner city commercial centres) to satellite (for hill farms, rural businesses and disaster recovery – e.g. fire or flood taking out terrestrial networks). Advance notices have been sent to DPA members but the details are not yet on the website because some of the industry speakers have yet to be confirmed.

(*) Unfortunately “No End of Jobs” is not itself on-line (I have just paid ten times the original price for a copy to supply to anyone willing to scan or digitise it). Interestingly what looked to New Scientist to be the “silliest predictions” might already have come true – but for the failure to complete “the recabling of Britain” by 2002. That was, of course, Government policy until 1997 and the introduction of Local Loop unbundling to save US bondholders, who then owned NTL and Telewest, “from taking a haircut” with a distress sale to Sky.

P.S. Now received a copy of “No End of Jobs” via Amazon and made time to scan the first page. Remember it was written in 1984, so for Japan read China. For West Germany read India. What has changed since: apart from importing immigrants to look after our elderly in overcrowded NHS hospitals, instead of making use of technology to enable them to live at home. One of the themes was the job creation effects of “Prolonged active life”: enabling clinicians to spend time with patients instead of on paperwork and deploying “robotics for rheumatics” as well as all the telecare and telemedicine technologies that we are still talking about but not deploying and enabling.

No end of Jobs Intro.jpg
   


February 20, 2015  5:33 PM

How do I tell if this offer to get government to pay for business broadband is genuine?

Philip Virgo Profile: Philip Virgo
Broadband, Business, HMRC, Ofcom, rural, SME, Vouchers

I recently signed up to the HMRC advisory service and this morning received the e-mail below. Being a trusting individual I did NOT click on anything. Instead I visited the HMRC site on how to check whether a communication from them is genuine. I was none the wiser. However, being both paranoid and interested, I tried to find another way of getting the details. Eventually I found my way in via the “Business is Great” website although the Broadband Voucher scheme is not among those promoted on the home page.

I still do not know whether the original e-mail from HMRC was genuine but, if it was, I deduce that HMRC is more concerned to help SMEs get good broadband access than Gov.UK is concerned to promote either good security practice or the voucher scheme.

Rant over. This is a great scheme. It needs to be extended so that every rural business stuck with crapband (not just those in Wales) can use it to pay for a satellite service. Meanwhile inner city businesses in the areas covered should use it to apply for a fibre connection: there is a routine for vouchers to be collated by alternative suppliers if BT or Virgin will not offer you anything other than a prohibitively expensive leased line. Those in areas that are not yet covered, where businesses are stuck with a choice between crapband and expensive leased lines, should be contacting their constituency MP and parliamentary candidates to lobby either for access or to work to make it easier for alternative suppliers to compete to meet your needs.

But be warned, the budget is fixed and it’s first come, first served. We also need to get action on opening up the supply of business broadband to all. I therefore take this opportunity to remind you that the deadline for the consultation on the Ofcom Draft Annual Plan is next Thursday. The good news is that Ofcom has finally given priority to looking at business broadband. There is much to do and you have to get into the appendices, with references to the work of the IETF on inter-operability standards, to realise that Ofcom is now serious about looking at UK telecoms in global context.

Meanwhile, if you are among those stuck with crapband – do take a look at the voucher scheme. If you are not covered, take a look at how many others, locally, are in the same position. If there are enough of you, one of the new generation of the alternative network providers (see the list of those participating in the scheme) might be able to serve you at an attractive cost anyway.   

HM Revenue and Customs

Hello Employer,

Connection Vouchers


We’ve got up to £3,000 for you to upgrade your business’s broadband – it’s up to you to apply for it.

Find out now if you are eligible for up to £3,000 to cover the installation costs of upgrading to a faster and more reliable connection for your business. You could get a fibre optic, cable or wireless broadband connection among other options.  Most businesses pay nothing but VAT and their standard monthly charges.

Thousands of businesses in the 22 Super Connected Cities Programme are already benefitting from the scheme.  By upgrading, you could:

  • Do things faster – increase your business’s productivity,
  • Improve customer service,
  • Access new markets using video conferencing.

Please visit our website to find out if you are eligible and choose from a number of pre-defined options.

To check if you are eligible for a Growth Voucher with a grant of up to £2,000 towards the cost of expert advice, apply here. To see the full offer of government support for small businesses, click here.


February 17, 2015  10:04 AM

Will Government Verify survive the impending cybersecurity skills crisis?

Philip Virgo Profile: Philip Virgo
.gov.uk, Compliance, Crapband, crisis, cybersecurity, digichampz, e-skills, IAM, ICAEW, Skills, Verify

Few outside the community of those obsessed with digital identity will keep up to date with postings and comments on the Gov.UK Identity Assurance Blog but a regular reader recently drew my attention to a recent posting, on “User research – asking better questions”. He asked why they were relying on feedback from current trials and had not looked at the market research conducted by others, such as Experian – although he did not say which research they should have looked at.

I found his question interesting. My work with the Tech Partnership (formerly e-Skills) on the training modules needed to help organisations survive the impending cybersecurity skills crisis is largely focussed on identity and access management: IAM.

The skills involved in IAM range from “authenticating and authorising transactions over smart phones”, through “bring your own device”, to “multi-level access and authorisation in complex organisations with large numbers of customers, contractors and staff with different permissions in different locations” (e.g. airports or global banks). A cross-cutting issue is the vetting and monitoring of who is to be given which access permissions. The processes are complicated by regulatory issues (including data protection), with compliance officers themselves a significant point of weakness, because so many are in post for 18 months or less.

Most discussion of IAM is focussed on the digital components, but workable systems are nearly always underpinned by rigorous people processes – except when the organisation is confident that it will not be put at significant risk from insider-assisted fraud or unauthorised physical access to safety-critical or secure facilities. Where that risk is significant, the systems always embed inputs from those who have done physical checks as to the identity of those to whom they have given electronic credentials.

I am therefore unconvinced that any identity based purely on digital footprint (whether or not it includes on-line financial records) merits my trust, let alone that of those looking after my savings or of the critical national infrastructure. I am therefore not impressed by requests to provide feedback over the precise wording of a requirement to make personal financial information available in order to obtain a digital identity that is more acceptable to government than those it currently requires us to use to pay our taxes or claim benefits.

One of the problems with the original attempt to require farmers to use “Verify” for inter-actions with the Rural Payments Agency was the belated discovery that nearly 20% have no digital footprint – or at least no footprint discernible to the identity providers. More-over, those who have never had to borrow money and have always paid cash see no reason to provide their financial information to some-one with whom they have had no previous dealings, for unknown transmission and storage. That is not to say they are digitally illiterate. They may well use mobile or satellite services to keep abreast of prices for livestock or crops, or to access on-line auction sites, but because of not-spots and crapband* they have to do so from wherever they can get a signal or via their own choice of trusted intermediaries. They are also often well aware of the risk of fraud and impersonation.

Now let us look at those most reliant on public services, including those stuck on sink estates or transient between bedsits or caravan sites, and those who share their identities with whichever member of their “extended family” they trust to collect their benefits and do their shopping. Hence my expectation of an all-party backlash against the “digital by default” agenda, because there is a very big difference between using technology support to provide better services at lower cost and “herding the sheep on-line to be fleeced”.

I am particularly concerned at the potential risk of those dependent on benefits having their identities registered on-line by fraudsters and their being unaware until left destitute.

More recently I was struck by the findings of the Digichampz Survey conducted under an EU contract by the Digital Policy Alliance for presentation in Huddersfield and a month later in London.

This survey is unusual in that it is based on a high response from on-line users in a poorly served (connectivity, let alone support) rural community. I do recommend looking at the actual report, not just the headlines. Despite the editor's comment that security and child protection were of low concern compared to getting a reliable connection at all, around half the respondents were concerned about security and a third about on-line child safety.

Now back to “Verify” – if I ever get round to applying for an identity, because I am forced to in order to (for example) do my VAT or tax returns, I will probably use the Experian service – but to call this a “digital by default” service would be a misnomer. Experian will be comparing what it is told on-line with what it has collected on me over several decades from those who would not serve me in a department store or mobile phone shop until I had signed a form permitting me to check with Experian as well as giving other proof of identity.

That is not, however, possible for a couple of my “legal” identities (as a trustee or director) because the organisations concerned have never had reason to borrow or purchase anything on credit. I therefore expect those selling to them to require me to use a variety of rather more secure IAM systems, including those that are global and do not rely on local political agendas. I have no problem with this – provided their services are securely firewalled from each other, with my liabilities governed by UK consumer credit and unfair contracts legislation.

But this links back to the current cyber security skills crisis. Those selling to me have to manage and insure their risks, integrating the various IAM systems already on the market in support of their people processes, from physical access to customer and transaction authorisation (both on-line and off-line). I do not yet see the business case for them to regard “Verify” as anything more than an interesting experiment.

P.S. The issues get even more interesting when we consider controlling access to the systems controlling smart cities and those along supply chains. There is still remarkably little attention to this area, so I was delighted to learn of an event being organised at the Institute of Chartered Accountants on 25th March.

*Crapband = “Copper, Rust And other Pollutants” between the fibre (cabinet or exchange) and the premises (home, workshop, office etc.) or the wireless aerial (for mobile or wifi connectivity).


February 16, 2015  12:32 PM

Is VATMOSS a serious VATmess or a storm in a teacup?

Philip Virgo Profile: Philip Virgo
.gov.uk, E-commerce, FSB, VAT, VATMOSS

I have received a number of e-mails asking me to blog on the issues or “do something”, but none from those actually engaged in running the businesses supposedly affected. More-over, all the lobbying appears to be behind closed doors. The guidance on Gov.Uk indicates that those who are already registered for VAT and use a payment service need do very little. That from the FSB reinforces this message.

Is it correct, however, that even micro-businesses which use the same “legal identity” for sales of on-line products and services in the UK as for overseas, will now have to register and charge VAT to their domestic customers, thus putting prices up by 20%?

If so, will this lead to halting off-shore sales, a flight off-shore or guidance from the suppliers of accounting and payment services on how to legally and cheaply split the business?
 
In other words, is this attempt to reduce VAT avoidance a serious obstacle to the UK future as a location for innovative on-line start-ups or will it simply lead to more work for tax advisors and a rash of competing “VAT apps” for teenagers (and sub-teenagers) aspiring to sell their own games instead of pirating those of others?

I have no idea – hence the question.


February 14, 2015  7:42 PM

The Future of Technology

Philip Virgo Profile: Philip Virgo
Agile, amstrad, DSDM, Filetab, Gartner, IPR, RAD, RPG, vapourware, Visicalc, Word

[Image: The future of technology (20150214)]

Acknowledgements to SWardley – although I changed item 18 to read “XYZ, it's so passé and never really worked anyway. ABC is where it's at – and ours is great”.

I would, however, also comment on the timescale.

When my team at the NCC Microsystems Centre  invented and defined the term “vapourware” (back in 1983), I had in mind a timescale of barely five years from birth to death of most “buzzword technologies”.

Despite the efforts of US copyright and patent trolls to slow the pace of innovation, I think that 35 years is a bit long for the life cycle of a terminology.

P.S. I have just done some “research”.

The pace of change in the early 1980s with regard to micro-computer products was unusually rapid, and the life cycles of even market leaders (e.g. the rise and fall of Visicalc, Concurrent CP/M and the Amstrad PCW) were much shorter than today.

Taking a longer view, it took about a decade for the term “Agile” to replace the acronym DSDM which, in turn, had taken about a decade to replace RAD (Rapid Application Development), which was a reinvention of the approach behind Filetab (alias RPG, alias FPL etc.).

Filetab did indeed last 35 years before the name finally vanished from the market – with the Java version, to handle applications inter-operability within mobile phones, hidden from view.

Meanwhile Windows and Word are both approaching their 35th birthdays.

I therefore thank Mr Wardley for his insight and leave readers to ponder for themselves what determines the life cycle of the products, services, technologies (and terminologies) of today.

Is it

– entrepreneurs finding new ways to meet user needs?
– investment in research and development? public or private?
– government supported technology (and transfer) programmes?
– corporate spend on IPR lawyers?
– ???


